← Back to Blog

🚀 My First Google Workspace Add-On Went Live - Here's Exactly How the Verification Process Worked (And What I Wish I Knew Earlier)

When I started building my first Google Workspace Add-on - Form Prefiller - I thought the hardest part would be getting the code right.

Spoiler: it wasn't.

The real challenge was understanding Google's verification process - dozens of back-and-forth emails, unclear rejection notes, and hours spent tweaking OAuth scopes until everything finally lined up.

If you're building your first add-on, this post will save you weeks of confusion.

Here's exactly what the process looked like for me - what worked, what didn't, and what I wish someone had told me earlier.

💡 What I Built: Form Prefiller

Form Prefiller is a Google Forms™ add-on that helps automate form filling.

It lets users upload a spreadsheet (CSV/Excel/Google Sheets), map their columns to Google Form fields, and automatically generate personalized pre-filled links - all at once.

The idea came from watching schools, HR teams, and small businesses repeatedly fill the same forms with slightly different data.

It started simple - a tool for generating pre-filled links - but soon grew to include:

Support for all major field types: short answer, paragraph, multiple choice, checkbox, dropdown
AI-powered Smart Mapping: suggests field mappings automatically
Error validation: detects mismatched dropdown or checkbox values

Once I was happy with the product, it was time to publish it on the Google Workspace Marketplace.

That's when the real learning began.

🧩 The Two-Step Verification Process

Google's review isn't a single step.

There are actually two independent approval processes, handled by two different teams:

Step	Reviewer	What They Check
1. OAuth Verification	Google Cloud OAuth Team	Data access, API scopes, privacy policy, security, external requests
2. Marketplace App Review	Google Workspace Marketplace Team	Functionality, UI quality, listing copy, icons, and user experience

You'll usually need both.

If your add-on uses any sensitive or restricted scopes (and most do), OAuth verification must be completed first.

🔐 Part 1: The OAuth Verification Rollercoaster

I submitted my OAuth verification request, feeling confident.

Two days later, the reply landed in my inbox:

    "Please clarify why your app is requesting restricted scopes and provide a description of all external requests."
  

And that was just the beginning.

Over the next few weeks, I received nearly 20 emails from Google's verification team. Each one highlighted something small but critical - things I hadn't even realized mattered.

Here's what I learned the hard way 👇

1️⃣ Pin Every External Endpoint

If your script calls any API outside of Google - like a web app endpoint or OpenAI API - you must pin those URLs using the urlFetchWhitelist field in your appsscript.json.

    Tip: Document every external URL your add-on calls, even if it's just for logging or analytics.
  

2️⃣ Justify Every Scope - in Plain English

Each Google API scope you request must have a clear justification.

Example of what worked for me:

Purpose: Read form structure to identify question titles and options for generating pre-filled links.
Specific Scope: https://www.googleapis.com/auth/forms.currentonly
Limited Use: Access is limited only to the currently open Google Form. No other forms are read or modified.

You'll need to do this for every scope - including Gmail (gmail.send or gmail.compose), Drive, and external requests.

    Tip: Reviewers appreciate when your justification language mirrors Google's "Limited Use Policy." It shows you've done your homework.
  

3️⃣ Make Your Privacy Policy Reviewer-Friendly

This is where many developers stumble.

Your privacy policy must be clear, specific, and hosted on a public domain (not a Google Doc).

I hosted mine at:
👉 brightconstruct.co/form-prefiller#privacy-policy

Make sure it includes:

What data your app accesses and why
The exact scopes (listed in plain text)
A "Limited Use" section referencing Google's API policy
A link to revoke access: https://myaccount.google.com/permissions

And yes - the reviewer will actually click the link to check.

4️⃣ Explain AI Usage Transparently

Because Form Prefiller uses OpenAI for Smart Mapping, I had to clarify that no user data or responses are sent - only form field names and spreadsheet headers.

That one line made the difference between a 403 rejection and approval.

5️⃣ Expect Multiple Rounds (and Stay Patient)

It took me just over a month to get OAuth verification.

Each email from Google added more clarity - about HTTPS security, data flow, or endpoint pinning.

It was frustrating at times, but by the end, I understood my own system's privacy model far better than before.

🧾 Part 2: The Marketplace Review

Once OAuth verification was approved, I moved to the Marketplace App Review - and thankfully, this part was faster.

Here's what they checked:

Sidebar opened and functioned inside Google Forms
Logo icons followed size guidelines (32×32, 128×128, 256×256, etc.)
Description accurately reflected functionality
Screenshots and demo video worked
Privacy policy and Terms of Service were accessible

The Marketplace team also installed my add-on, tested generating pre-filled links, and even checked the AI mapping pop-up.

Within a week - I got the green light. ✅

⚡ What I Wish I Knew Earlier

Document your scopes before building. It saves time when writing justifications later.
Keep one Google Sheet for reviewer communication. Log each feedback point and how you fixed it - it prevents missing details.
Make a 45-second demo video. Even a quick Youtube walkthrough reduces confusion for reviewers.
Use clear, polite language in replies. Reviewers are humans, not gatekeepers. Patience and clarity go a long way.

🌱 What Happened Next

After approval, I released Smart Mapping - an AI-powered feature that automatically pairs form fields with spreadsheet columns.

Already helping early adopters pre-fill Google Forms faster - teachers, HR teams, and small businesses included.

The best part? Every scope, request, and dialog now fits within Google's verification framework cleanly. It's privacy-safe, transparent, and ready for scale.

🧭 Final Thoughts

If you're building your first Google Workspace Add-on, know this:

The review process isn't there to slow you down - it's there to make your product stronger and more trustworthy.

By the end of it, you'll have:

A clear privacy policy
Secure and transparent code
A better understanding of your users' data
And yes - a live add-on that you can proudly share with the world.

See Form Prefiller on Google Workspace Marketplace →

📚 Coming Next

This is part of a series on building Google Workspace Add-ons. Up next:

"The Complete Guide to Google OAuth Verification" - A deep dive into scope justifications, privacy policies, and exactly what reviewers ask for
"How to Pass the Google Marketplace App Review - UI, Listing & Policy Tips" - Screenshots, descriptions, icons, and what the Marketplace team actually tests

Want to be notified when these go live? Email me at info.brightconstruct@gmail.com and I'll add you to the list.

✉️ Questions or Building Your Own Add-on?

Feel free to reach out - I'm happy to share more details about the verification process:

📬 info.brightconstruct@gmail.com
🌐 brightconstruct.co